# Cyborg

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrF6ulvnnbnIGlWFZ2%2F-MbrFEAiibuk1qpIgrX_%2Fimage.png?alt=media\&token=0da207df-e3b5-410d-a4e5-a6ab2634956b)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.4.121
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrF6ulvnnbnIGlWFZ2%2F-MbrFYxN8fW5-0G_3Tow%2Fimage.png?alt=media\&token=eec66309-5b91-4443-9442-b541b171b54f)

We have two open ports: 22, running SSH, and 80, running HTTP.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrF6ulvnnbnIGlWFZ2%2F-MbrFiLT9pU99IaTIf-a%2Fimage.png?alt=media\&token=86d04358-11cd-4685-b69c-2e6c7d5298f3)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specifying ports 22,80
* **-oN nmap**: saving the output into a file called nmap

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.4.121
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrF6ulvnnbnIGlWFZ2%2F-MbrFmAFoHDFcTYOrfGr%2Fimage.png?alt=media\&token=1175639a-fb8a-44f2-8943-6c02aaf697e6)

## Enumeration

Let's visit the web server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrFzFurL32aoCOnEdC%2Fimage.png?alt=media\&token=bade9613-b8d0-433a-ae34-288807e3edc3)

It's the default Apache2 page, so let's run gobuster to find hidden directories and files.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrGVvYXAFtGo5UUJPl%2Fimage.png?alt=media\&token=8ac239eb-b895-4cf3-9a6b-6b1fa265aa6d)

There is an admin directory; let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrGbthNzg2RxjoykyM%2Fimage.png?alt=media\&token=55f51ca8-3e52-4a51-b50d-e894513e00fc)

It's a website with information about a person; let's explore it and see what we can find. The Admins tab shows this information:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrGp56YfiknVBuNCe_%2Fimage.png?alt=media\&token=9095eaf7-c412-4fac-aa86-21763840d598)

It looks like there is a backup called `music_archive`. We also get another hit from `gobuster`:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrHFrqpDPXAyc2zeGH%2Fimage.png?alt=media\&token=d60d26c4-e0fa-46f9-8db7-972b1a0dc53b)

An `/etc/` directory; this might hold the config files Alex was talking about, so let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrHWPypgkOzpYrzCqv%2Fimage.png?alt=media\&token=44fa5182-9baa-4275-85b8-7df4ee1fd96e)

Clicking on the folder, we see some interesting files:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrHboPgfVX1znMFjDo%2Fimage.png?alt=media\&token=bb75b315-0653-458b-8a2c-2861d9faa920)

We have a `squid.conf` file and a passwd file. Let's download these to our machine.

```
wget http://10.10.4.121/etc/squid/<file-name>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrINZbdFgmBcqisnBk%2Fimage.png?alt=media\&token=834bd4fe-fbc0-48af-9013-9adbb26f7129)

Let's check these files out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrIpo5p0aQ6YH1UpI0%2Fimage.png?alt=media\&token=43644225-cebd-4268-ad73-cbc8288a8110)

This looks like a hash; let's crack it using `john the ripper`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrIwKi-1riKRJ3IOKl%2Fimage.png?alt=media\&token=91f014c9-7751-4fbc-bb31-f8466fdbac31)

We found the password `squidward`. Let's look at the other file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrJBa48An_kULdSkce%2Fimage.png?alt=media\&token=7037c687-e68d-4021-80a5-e4d041c38993)

It doesn't look like anything important. One thing we have not found yet is the archive file Alex was talking about, so I went looking for it and found it here:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrJ_OJPSAj_BueBlcJ%2Fimage.png?alt=media\&token=eede2717-46fb-414f-9063-1e5ce09efc17)

Let's download it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrJdqL-3rgB20aFiGs%2Fimage.png?alt=media\&token=e629ba68-b727-4210-828f-ac007bfbd60b)

The archive is a `tar` file; select Save File and click OK. Now let's extract it and check its contents:

```
tar -xvf archive.tar
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrKbE_npB5rPuPh_am%2Fimage.png?alt=media\&token=45ced3f3-7573-4be8-93fc-4479dcc5a25b)

We get these files. I went through many of them and most did not make sense, except this one:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrLGKzCd0RyhSeET6G%2Fimage.png?alt=media\&token=db9fbf47-aede-48c0-9a8d-dc453b15ab32)

Looking at this information, I searched for the topic and found this [page](https://borgbackup.readthedocs.io/en/stable/usage/extract.html), which lists commands we could use, so I went looking for the tool that provides the `borg` commands; one of the results was its `GitHub` repository.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrM0mvHm_wogLLikRk%2Fimage.png?alt=media\&token=e5c7e7bc-9caa-4522-a752-c6bed83eb239)

Next I went here, as it said it had recent releases.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrMOjhf4w6UK2KHMyq%2Fimage.png?alt=media\&token=947d1a7c-278d-4346-bedf-de362cb2d496)

I downloaded the Linux file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrFobZJDtfWpJj_xs7%2F-MbrN2A7pwrdAvftAlSE%2Fimage.png?alt=media\&token=7afbcb6f-f9cb-4bfd-8340-96dccf7fcb3d)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrNK-iMUmq6k3UNQh3%2Fimage.png?alt=media\&token=6c29482a-1626-4f5e-a400-dad229b36149)

Let's list the files. When I tried, I got this message:

```
borg list home/field/dev/final_archive
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrNkAHzlF4bbtTf2sv%2Fimage.png?alt=media\&token=38f98476-92a1-456c-aee8-57086079fb89)

And so I downloaded the tool; now let's list the files:

```
borg list home/field/dev/final_archive
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrNp_8if_IqT7wkNxD%2Fimage.png?alt=media\&token=4941c5e9-1729-4c86-a732-0e48789498e0)

Earlier in our enumeration we found the password `squidward`; let's use that.

```
borg list home/field/dev/final_archive
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrNzg7yQ1MnrTG4oBA%2Fimage.png?alt=media\&token=6e198d5a-605c-447e-9113-8a89245e5999)

It worked: we have an archive called `music_archive`. Now let's extract it too.

```
borg extract home/field/dev/final_archive/::music_archive
```

It asks for a password; I used the same one as before and it worked.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrP5mk38AIFZMRYIGA%2Fimage.png?alt=media\&token=721d3636-872e-4ab4-b7e3-846b8e1163d1)

We extracted a folder called `alex`. Navigating through it, I found this file:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrPetSjsc5jXz8-Bav%2Fimage.png?alt=media\&token=39bdbd47-34a6-41fb-a4bb-2f65d2f65517)

It has nothing interesting. I also found this file:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrPnaSEo5KGWeLkno_%2Fimage.png?alt=media\&token=bcb4fb19-7eda-4da8-bd87-dbab0be355a1)

It has a username and password. Let's try to log in with these credentials over SSH.

```
ssh alex@10.10.4.121
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrT41oO1TEt5AOGr3q%2Fimage.png?alt=media\&token=1916029a-c8fe-425d-8098-d1850f6d51ae)

We are logged in and can cat the `user.txt` file:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrTOCjkZS7dSH2lA9b%2Fimage.png?alt=media\&token=f37d6ec8-6955-4157-bdfb-e510700d97af)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrTZHTUEiDgm43A_8g%2Fimage.png?alt=media\&token=4e37d56a-4dd3-425e-8c18-a9e7525dff41)

It looks like we can run this file as root; let's see what it does.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrTlC3norG7ZQVZWNP%2Fimage.png?alt=media\&token=bf1dc53a-6975-4ccc-85ba-a6b448494df1)

Looking through it, the `getopts` call is the interesting part: according to a quick search, it is a bash built-in for parsing the options and arguments passed to a script. This is the [article](https://sookocheff.com/post/bash/parsing-bash-script-arguments-with-shopts/) I found. In summary, when the script is called with `-c <argument>`, `getopts` parses the option and the script then executes the argument as a command. Let's make it run bash.

```
sudo /etc/mp3backups/backup.sh -c bash
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrVVC5EInSpj-xF6ij%2Fimage.png?alt=media\&token=fe88b940-4d19-4c9a-b7f0-b6b1b32cb822)

We are now root, but none of the commands worked.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrVczx09M01ecF1kx5%2Fimage.png?alt=media\&token=f723d8c0-6915-41b1-9032-2326cac40ab3)

What we have to do is set the SUID bit on bash from that root shell, exit it, and then run the bash binary with `-p` to get a working root shell on the box and execute commands.

```
chmod 4577 /bin/bash
exit
bash -p
cd /root
cat root.txt
```

Using these commands we can read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbrN6X0dwC35ltBeR9i%2F-MbrWKTzYypmhj_63h3f%2Fimage.png?alt=media\&token=3fd4fe60-daea-45a7-bde9-05029d5b2d68)
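As an added example (not part of the original writeup), here is the defender-side check for the step above: a POSIX shell audit that lists setuid files under a directory tree and reports any that are not on a recorded allowlist, so a `/bin/bash` left with mode 4577 shows up immediately. The demo tree, its file names and the allowlist are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a tree for setuid
# binaries that are not on a known-good allowlist. The allowlist is one
# absolute path per line, recorded by the defender at baseline time.

# Print every setuid regular file under $1, sorted, one path per line.
list_suid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Print setuid files under $1 that are missing from allowlist file $2.
# Always exits 0 (grep's "no match" status is swallowed); use suid_audit
# when an exit status is needed.
find_unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# Report and return 1 when an unexpected setuid file exists, else return 0.
suid_audit() {
    unexpected=$(find_unexpected_suid "$1" "$2")
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED setuid file(s) under %s:\n%s\n' "$1" "$unexpected"
        return 1
    fi
    printf 'no unexpected setuid files under %s\n' "$1"
    return 0
}

# Build a constructed demo tree (an assumption for this example) that mimics
# the state the writeup leaves behind: bash with mode 4577 next to a
# legitimately setuid passwd. Prints the tree's root directory.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for f in bash passwd ls; do : > "$d/bin/$f"; done
    chmod 4577 "$d/bin/bash"    # the mode set in the writeup
    chmod 4755 "$d/bin/passwd"  # expected setuid, on the allowlist
    chmod 755  "$d/bin/ls"      # ordinary binary, not setuid
    printf '%s\n' "$d/bin/passwd" > "$d/allowlist"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the demo tree, then clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo)
    suid_audit "$root" "$root/allowlist"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the report; in practice the allowlist is generated once from a clean host and the audit is scheduled to run periodically.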
